OpenAI is soon expected to establish a data center in India, a move that carries significant implications for Indian users and neighboring regions. While this development fuels excitement about India’s AI adoption journey, it has also sparked critical discussions around AI technology’s intersection with regulatory compliance, data localization, and digital infrastructure. This initiative represents a monumental stride in India’s technological landscape, influencing data governance, cybersecurity, cloud regulations, and innovation ecosystems. In an exclusive conversation with Tech Achieve Media, Gaurav Sahay, Practice Head – Technology & General Corporate at Fox Mandal & Associates LLP, highlights profound legal, regulatory, and operational ramifications of OpenAI’s presence in India, offering insights into the path forward for businesses navigating the evolving AI landscape.
TAM: How will OpenAI’s establishment of a data centre in India reshape the legal landscape for AI regulation, particularly concerning the DPDP Act and data localization requirements?
Gaurav Sahay: OpenAI’s initiative to establish a data centre in India signifies a strategic alignment with the country’s evolving regulatory framework for data protection and localization, a proactive adaptation to the country’s dynamic regulatory landscape, ensuring compliance with data protection laws and reinforcing its commitment to responsible AI development within the jurisdiction.
OpenAI’s presence in India is poised to influence the legal and regulatory environment for AI. A local data centre will establish a tangible nexus, clarify jurisdictional boundaries and enhance regulatory oversight. Operating within India shall effectively uphold the rights of Indian data principals, including rights to access, correction, and erasure of personal data. Local data storage and processing mitigates risks associated with cross-border data flows, aligning with national security and public order considerations emphasized in the DPDP framework.
TAM: What are the critical implications of data localization for businesses leveraging AI technologies, and how can they navigate compliance while maintaining operational efficiency?
Gaurav Sahay: Data localization strengthens data security and control but also creates operational and financial challenges for businesses. To comply with India’s Digital Personal Data Protection (DPDP) Act, 2023, companies—especially those classified as Significant Data Fiduciaries (SDFs)—must invest in local data storage through in-house data centers or partnerships with Indian cloud providers. This increases costs and limits cross-border data transfers, which can restrict AI model training by reducing access to diverse datasets, potentially impacting AI accuracy and fairness. Businesses that rely on real-time data processing, cloud-based AI tools, or offshore analytics must reassess their data-sharing strategies.
Financial services, healthcare, and e-commerce must align with sector-specific regulations from bodies like RBI, IRDAI, and TRAI. Given the evolving AI regulatory landscape, companies should proactively engage with authorities like MeitY to clarify compliance requirements and seek exemptions where applicable. A strong data governance framework, combined with strategic collaboration with regulators and local tech partners, will be key to ensuring AI-driven innovation continues within India’s legal framework.
TAM: What are the key challenges organizations might face in ensuring compliance with India’s cloud computing and big data governance frameworks in the context of AI-driven innovation?
Gaurav Sahay: Organizations leveraging cloud computing and big data for AI-driven innovation in India may face legal and regulatory challenges in ensuring compliance with evolving data protection and governance frameworks. The Digital Personal Data Protection (DPDP) Act, 2023, along with sector-specific regulations from authorities like the RBI, IRDAI, and TRAI, imposes strict obligations on data storage, processing, and cross-border transfers. Compliance challenges arise due to data localization requirements, which may necessitate investment in local cloud infrastructure operational complexity. Additionally, AI-driven systems rely on large datasets for training and decision-making, but restrictions on data sharing and real-time processing across jurisdictions can hinder model performance and accuracy. Algorithmic transparency and bias concerns must be addressed, as regulators may require businesses to ensure AI systems operate fairly and without discrimination.
TAM: In light of OpenAI’s move, how do data transfer agreements need to evolve to address interoperability and privacy safeguards across borders? Please provide your response in simple legal paragraph format.
Gaurav Sahay: Data Transfer Agreements (DTAs) must evolve to address interoperability and privacy safeguards across jurisdictions. The Digital Personal Data Protection (DPDP) Act, 2023, permits cross-border data transfers to certain government-approved countries, but businesses handling AI-driven data processing must ensure that DTAs include clear contractual obligations for data security, lawful processing, and user consent compliance. These agreements should align with international privacy standards, such as the EU’s GDPR or the APEC Cross-Border Privacy Rules (CBPRs), to ensure smooth data exchange while meeting Indian regulatory requirements. Organizations must implement Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) to establish uniform data protection obligations across different legal systems. Additionally, DTAs should specify encryption protocols, access controls, and data minimization measures to prevent unauthorized access or misuse. Given the evolving nature of data laws, businesses should regularly review and update their DTAs in consultation with regulatory authorities and legal experts to mitigate compliance risks while enabling seamless AI innovation across borders.
TAM: What role can IoT and big data analytics play in strengthening AI adoption while adhering to cybersecurity and regulatory compliance standards?
Gaurav Sahay: IoT and big data analytics enhance AI adoption by enabling real-time data processing while ensuring compliance with cybersecurity and regulatory standards under the DPDP Act, 2023 and sectoral laws. To meet data security and localization mandates, businesses must implement encryption, access controls, and anonymization while using privacy-preserving AI techniques like federated learning. Compliance with cross-border data transfer rules requires strong data governance frameworks aligned with Indian and global privacy laws. By integrating AI governance policies, organizations can drive AI innovation while ensuring legal and ethical compliance.
TAM: How might India’s digital infrastructure and policy ecosystem need to adapt to support seamless integration of global AI technologies like OpenAI’s models?
Gaurav Sahay: India’s digital infrastructure and policy ecosystem must evolve to support the seamless integration of global AI technologies like OpenAI’s models while ensuring regulatory compliance under the DPDP Act, 2023 and sectoral laws. This requires scalable cloud infrastructure, secure data centres, and AI-specific regulatory guidelines to address data localization, cross-border transfers, and cybersecurity risks. Policymakers must establish clear AI governance frameworks, including standardized data-sharing protocols, algorithmic transparency requirements, and ethical AI guidelines, ensuring alignment with global best practices like GDPR. Strengthening public-private collaboration, streamlining regulatory approvals, and enhancing interoperability between domestic and international AI ecosystems will be crucial for fostering AI-driven innovation while maintaining legal and ethical safeguards.